Express Scripts Inc. (ESRX), the object of a 2008 extortion attempt by someone threatening to expose personal patient data, started notifying hundreds of thousands of members recently after the extortionist showed evidence of possessing more records than previously thought.

Since the threat was first made public nearly a year ago, the St. Louis-based company, one of the largest U.S. pharmacy benefits managers, has mailed notification letters to approximately 700,000 people, an Express Scripts spokeswoman told Dow Jones Newswires on Wednesday. Most of those letters stemmed from the latest move by the extortionist, as only a few hundred patients received notices last fall.

"These are individuals whose information was contained in data records that we saw [were sent] from the extortionist," said company spokeswoman Maria Palumbo.

The Federal Bureau of Investigation informed Express Scripts in late August "that the perpetrator had recently taken action to prove that he possesses more members' records from the same period as those identified in the 2008 extortion attempt," the company said in an update posted on its member-support Web site in early September.

"Express Scripts is in the process of notifying these members," the company said. "Express Scripts is unaware at this time of any actual misuse of members' information."

The person who illegally obtained member records recently sent a data file to a law firm, which forwarded it to the FBI, according to Palumbo, who wouldn't identify the law firm, other than to say it was one that had filed a lawsuit against the company.

"This is a new development of the same incident that happened last fall," said Palumbo. The thief now has proven the possession of additional records from that time, she explained. The latest development did not include any direct contact with Express Scripts, she said. The data looks consistent with how Express Scripts' data appeared in 2006, according to Palumbo.

The breach came to Express Scripts' attention in October 2008, when the company received an anonymous letter threatening to expose millions of member records on the Internet if an extortion demand wasn't satisfied. The letter included personal data on 75 members of the company's drug-benefit plans, including Social Security numbers, addresses, birth dates and, for some, prescription information. In November, some Express Scripts clients received similar letters involving data on a few hundred individuals.

Express Scripts notified all affected members and the FBI, which started an investigation. The company also established a $1 million reward for information leading to the arrest and conviction of those responsible for the data breach and extortion attempt, and contracted with Kroll Fraud Solutions, part of a Marsh & McClennan Cos. (MMC) unit, to assist members who believe they may be victims of identity theft because of the incident.

"We do feel like we've done what we need to to ensure that an incident like this will not happen again," said Palumbo.

After the most recent development, Express Scripts sent a letter to the New Hampshire attorney general saying it was notifying 1,771 individuals in that state alone that their personal data had been obtained without authorization.

"We did send letters to members across the country," and the company notified all 50 state attorneys general, Palumbo said.

The company said on its site that it "stands firm in our refusal to give in to the demands of the extortionist and will continue to cooperate fully with the FBI in their investigation."

The Express Scripts update and New Hampshire letter were reported in mid-September on databreaches.net, also known as the Office of Inadequate Security, which follows such incidents.

Express Scripts, which doesn't typically release its total membership, has enrollment in the "tens of millions," said Palumbo.

The data breach has occurred as the federal government and the health-care and information-technology industries are pushing for broad adoption of electronic health records and prescriptions and other forms of health IT.

Express Scripts, the third-largest pharmacy benefits manager in the U.S., will expand significantly after its planned acquisition of health insurer WellPoint Inc.'s (WLP) in-house PBM, NextRx, this year. The deal includes a 10-year contract for Express Scripts to provide services to WellPoint, the largest corporate U.S. health insurer by membership.

On the Web:

www.esisupports.com

http://doj.nh.gov/consumer/pdf/express_scripts.pdf

-By Dinah Wisenberg Brin, Dow Jones Newswires; 215-656-8285; dinah.brin@dowjones.com